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m Tm: METHOD AND "APPARATUS FOR SECURE IDENTIFICATION OF A MOBILE USER IN A COMMUNICATION 
NETWORK 

(57) Abstract 

Communication between mobile users of and in s com- 
puter network is subject to a variety of security issues; user 
'identification and user tracking are two particularly important 
ones. This invention provides a method and an apparatus for 
securely identifving a mobile user while avoiding track-ability 
of his/her movements, i.e. It provides a way for a secure user 1( 
identification in secrecy. The gist is to encrypt the user's identi- 
fier, and/or his/her password, and a &yncmcni;r.atier. indication, 
preferably a fixed time interval, under a secret one-way func- 
tion and sending the encrypted message, herein called "dynamic 
user identifier", to the user's "home authority" where he/she is 
registered. The home authority comprises correspor.dence ta- 
bic?, listing, pre-computed for every time interval (or another 
chosen synchronization), the dynam»: usn identifiers and the 
corresponding true identity of the user ant! can thus quickly de- 
cide whether* the received encrypted message originates from a 
registered user. On the other hand, an intruder is neither sole 
to detect from the encrypted messages the identity of the user 
nor can he'she tracK a user's moves. 
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i DESCRIPTION 



Method and apparatus for secure Identification of a mobile user 1n a 
communication network. 



Technical Field 

10 

This invention relates to communication between mobile users of and in a 
computer network; more specifically, ft concerns a method and an apparatus 
for establishing a way of providing secure identification of a mobile user in 
a communication network. 

15 

Background of the Invention 

In today's communication networks, user mobility is rapidly becoming an 
important and popular feature, particularly in wireless or cellular networks. 
20 While useful and desirable, this increased user mobility leads to a number 
of important security-related issues and concerns. One issue is the approval 
or acceptance of the user; another issue is the tracking a mobile user's 
movements and current whereabouts. 

25 A typical situation arising in mobile environments is when an entity, i.e. a 
user or a device, registered in a particular home domain, appears in a 
different, i.e. foreign domain. Presumably, this user's goal is to obtain 
certain services while In the foreign domain, Since this user is not known in 
the foreign domain, he/she must be authenticated and his/her "solvency" or 

so good standing must be confirmed to the authority of the foreign domain, 
Within the following specification, this process is denominated 
"authentication", as usual in the art. Of course, the oniy entity able to 
comment on the user's identity and current standing is the authority in 



his/her home domain. There are several known solutions to this problem in 
the recent literature, some of them are addressed below. However, 
authentication is not the issue that the present invention addresses. 

Of concern here is another security-related issue arising as a result of user 
mobility. It is the confidentiality of the user's identity and his/her 
movements. Ideally, only the user's home domain authority should be 
informed as to the mobile user's itinerary and current whereabouts, in the 
following, this process of establishing the identity of a mobile user, i.e. of 
determining WHO the user is trying to obtain a service from a particular 
domain actually, is denominated "identification". 

Ideally, no entity other than the user himself/herself and a responsible 
authority in the user's home domain, i.e. the subnetwork or partition of the 
network within which the user typicaliy works, should know the real identity 
and/or the current location of the mobile user. Current environments 
supporting user mobility either do not address the problem at all or base 
their solutions on hardware capabilities of the user's personal device. 

Generally, one may say that the known solutions for this problem offered by 
current state-of-the-art mobile/cellular architectures are either inadequate or 
too specific to assure a secure identification in secrecy, as detailed below. 

One of the presently available solutions is reported by M. Rahnema in (1). In 
this so-called GSM system, the mobile user Is routinely assigned a 
temporary Identify (TMSi, in GSM parlance) when he/she appears in a 
foreign domain, However, a TMSI is only assigned after the initial 
authentication of the mobile user in the foreign domain; in the process 
carried out by the latter, the user's real identity (IMS!, In GSM parlance) is 
communicated in the clear and can thus be recognized and misused by an 
intruder. 



WO%/1392© 



- 3 - 



PCT/EFS4/03542 



i Another solution is described in a specification {2} on a "Cellular Digital 
Packet Data" {CDPD) system. The approach taken by the CDPD system is 
more secure than in the above GSM solution. In the CDPD system, before a 
mobile user communicates his/her identity, he/she engages in a 

s Diffie-Hellman key exchange protocol with the local, i.e. foreign, domain 
authority. This protocol is described by W. Diffie and M Heliman in (3). As a 
result, both parties come to share a secret key. Enciphered under this key, 
the mobile user subsequently transmits his/her identity to the foreign 
domain authority. 

10 

While more secure than GSM, this approach has two major drawbacks. First, 
it allows the local, i.e. foreign, domain authority to discover the real identity 
of the mobile user. In the context of CDPD, this is not a problem in and of 
itself. However, ideally, the identity of the mobiie user should not be 

is revealed to the locai domain authority, it is sufficient for establishing his/her 
identity and current standing if if is corroborated or endorsed by the home 
domain authority. The second problem is due to the nature of the 
Diffie-Hellman key exchange protocol, its purpose is to establish a secret 
key on-the-fly. This allows an intruder to masquerade as the iocal domain 

20 authority and thus to engage in the key exchange protocol with the mobile 
user and obtain a shared key. When the mobile user then transmits its real 
identify enciphered with this same key, an intruder will simply decipher the 
transmission. 

25 other approaches are given by R. Molva ef al in {4} and by M. Seller et al in 
(5). One side aspect, relating to key distribution, is described in Applicant's 
PCT Application PCT/EP93/01989 (8), another side aspect, relating to 
password or key change, is addressed in Applicant's PCT Application 
PCT/EP93/02540 {7). 

30 

in summary, there are essentially three issues underiying the problem of 
mobile user identity and movement confidentiality. 
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i The centra! issue in maintaining a secret identity Is to prevent anyone from 
discovering a correspondence between a mobile user and a user registered 
in a particular home domain, in other words, the central issue is to keep the 
user's identity confidential. The easiest, rather intuitive solution is to assign 

5 a travelling alias to every mobile user or device when away from the home 
domain. As addressed below, this aiias can be fixed or ever-changing. 
Consequent^, a main object of the invention is to devise a method and a 
system that is adapted to and permits the use of such aiiases. 

10 The second important issue is to keep foreign domains "in the dark", if it is 
not imperative for a foreign domain to know the reai user s identify, an aiias 
should suffice, in most cases such an alias must still be corroborated by the 
home domain authority. Consequently, another object of the invention is to 
design a method and a system which enables the information flow through 

15 the network without revealing the identify of the user to the foreign domain. 
(Whether or not aliases are used, there may be reasons why the foreign 
domain authority still demands to know the reai identity of the user, in this 
case, the home domain authority may communicate the user's identity in 
secref, assuming, of course, that the two authorities have a pre-established 

20 means for secure communication. However, even in this case, the foreign 
domain originally does not know the user's identity.) 

The third issue of particular concern is to prevent identity tracking or 
correlation. Even if a mobile user adopts a travelling alias, his/her 
25 movements can still be tracked by a hostile intruder. This is especially 
possibie if the alias is fairly static, e.g. fixed for a given trip of a user or 
permanently allocated to said user. An alias of this latter type is similar to a 
long-term password; once cracked, the identity and the movements of the 
user can be compromised on a long-term basis. Consequently, a further- 
so object of the invention is to prevent the tracking by devising a system 
geared and adapted to use frequently changing aiiases without inhibiting 
the information fiow. 
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Summary of the Invention 

15 The present invention presents a solution to the above described issues, in 
brief, to minimize or avoid iraceabitify and identification of a mobile user, a 
method of assigning temporary, simple, one-time aliases to travelling users 
was devised, which is both efficient and not specific to a particuiar 
hardware. The invention allows, on one hand, for unambiguous and 

20 practically instantaneous identification of the travelling user by his home 
authority; on the other hand, an unauthorized party is unable to identify the 
mobile user or track his/her movements. 

Though the invention addresses and provides a comprehensive solution for 
25 ail three aspects discussed above, there are still some limitations that are 
difficult to circumvent. One such limitation, for example, is the need of the 
foreign domain authority to know the identify of the home domain of the 
travelling user. This is likely to be the case for quite a number of 
mobile-user environments, since charges Incurred "abroad" must be 
30 eventually propagated to the home domain. Furthermore, as mentioned 
before, only the home domain can comment on the user's current standing. 
(To solve this particular problem, one could envisage a system environment 
where communication between domain authorities is "anonymized" by a 
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1 central clearinghouse. In this case, it would be beneficial to assign aliases 
to domains so that a travelling user can reference his/her home domain by 
an alias; It then would be up to the central clearinghouse to resoh/e the 
domain aliases.) 

5 

The method according to the invention tries to reconcile two seemingly 
conflicting requirements: authentication and Identity confidentially. To 
authenticate an entity, it must first claim a certain identity and subsequently 
show or prove that it knows something that only the actual bearer of that 
to identity can possibly know identity confidentiality, on the other hand, 
demands that the same identity be kept secret. This results in a somewhat 
paradoxical situation which must be solved, 

in brief, the essence of the new method is in computing short-term travelling 
15 aliases, hereinafter called "dynamic user identifiers". A user travelling 
outside of his/her home domain can assume such an aiias and hide all 
relationship to his real identify. Moreover, this remains to be the case even 
if the foreign domain tor any unauthorized party) manages to discover the 
travelling user's password. 



Notations and Brief Description of the Drawings 



Notations Used 



25 The following notation is used throughout this description: 



0^: domain name; 

A8 X : authority of domain D x , typically an authentication server; 

U: travelling user, domiciled in domain O x ; 

30 U x : (real) name of this travelling user U; 

A u : alias or identifier of this travelling user U 

PW U : user U's password 

SUid: dynamic user identifier 
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1 S x : time interval of domain x 

T u : time interval indicator, i.e. present time of user U rounded to the 
nearest 8 value. 

5 In the drawings is depicted in 

Fig. 1 - a smartcard, useable for this invention, in both of its modes; 

Fig. 2 - an example for the information flow from the smartcard to the 
to user's home authority; 

Fig. 3 - a network with two domains for demonstrating the use of the 
invention; 

is Fig. 4 - an example for the organization of the home authority's process; 
and 

Fig. 5 ~ an example for the process at the foreign input workstation or 
terminal 

20 

Detailed Description 

Initially, every mobile user is assigned a iong-term travelling alias A u in 
addition to his permanent identify. In principle, A u does not have to be 

25 different from the user's real identifier U x \ the security of the scheme does 
not depend on A u being secret. In an environment where each user is 
equipped with a smartcard or some similar device, A u may be nothing more 
than the serial number or any other unique identifier of the user's device. A 
list of these travelling aliases A u is maintained by the home domain 

so authority alongside passwords and other user information. 

For every domain D x , a domain-wide time interval S x is selected. This time 
interval 5 X can be relatively coarse, for example an hour or a day. 
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Whan a user U, whose home domain is D x , travels to a foreign domain D y , 
he/she first needs to be identified (and authenticated). Subsequently, a 

temporary record can be created for him/her in D y to facilitate subsequent 
5 accesses in this foreign domain. In other words, if the user plans to finger 
within D y for some time, it may be advantageous to establish some 
temporary "home" for him instead of having to contact the user's home 
domain upon every access. But this is just one further possibility. The main 
goai of the Invention is the identification of a user. 

to 

A detailed description of a protocol for authentication of a user can be found 
in Moiva (4) which is herewith incorporated by reference. The exact format 
of the authentication flows is not important in the canlexi of the present 
invention. Regardless of the authentication specifics, the identity of user U 
15 must be communicated to his/her home domain authority AS X . Since user U 
cannot directly communicate with the home domain authority AS X , all 
communication has to flow through the local authority AS y . This is shown in 
Fig. 2, described further down. 

20 The authentication protocol may be optionaliy preceded by a two-flow 
Diffie-Hellman key change as described in the above-cited CDPD System 
Specification (2). in this case, the entire procedure becomes resistant to 
passive intruders since all messages can be enciphered using the new key. 

25 In general, the identification flow must include the dynamic user identifier 
SUid; this is true both for the (first) flow from the smartcard/user to the 
foreign authority AS y and the (second) flow from AS y io the user's home 
authority AS X . The dynamic user identification may consist of SUid 
straightaway or, possibly, an encrypted version of SUid, 

30 

The crucial aspect of the protocol, with respect to the confidentiality of the 
user's identity, is the computation of the dynamic user identifier SUid; it is 
computed as: 
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SUid = F(A U , T u , PW U ) 

wherein F is a strong one-way function. Examples are DES described in 
5 Publication 46 of the National Bureau of Standards, cf. (8) above under 
"References", or MD5, disclosed by Rivest in (7). in case of DES or some 
other encryption-based function, if is important to note that no additional 
secret key is necessary to compute the function F since the user's password 
PW U is sufficient for that purpose. T a is the current time rounded to the 
nearest 8 value, if the user is not equipped with a smartcard-like device, he 
enters his/her password PW U into the public workstation or other such 
terminal, i.e. the input device connected to the foreign domain authority 
AS y , For a smartcard-bound user, PW U can be either: 1. a strong key within 
the smartcard (for those smartcards that iack a keypad or other means of 
input), or 2. a combination of the smartcard's key and the user's password 
(for smartcards with input capabilities). 

As specified, the dynamic user identifier value SUid is unintelligible to the 
foreign domain authority AS y . The oniy information that the foreign authority 
AS y is able to obtain is that the mobile user registered in the (home) 
domain D K in the second flow, the foreign domain authority AS y transmits 
SUid (along other, e.g. authentication information) to the user's claimed 
home domain authority AS X , 

25 

The issue is how the home domain authority AS X determines that SUid 
corresponds to the locally registered user U, it does so by maintaining an 
up-to-date tabie which, for each native user, lists the corresponding dynamic 
SUid value. This translation or reference table is re-computed every 8 X 
interval. Since the home domain authority AS X already stores the alias A u 
and the password PW a for every user, it has all the necessary information 
to compute up-to-date translation tables. 
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i It should be noted that, since the dynamic user identifiers SUid do not 
depend on the users' current location, the translation tabies can be 
pre-computed off-line and wefl in advance. This is particularly the case when 
a relatively coarse § x value is used, e.g. one hour or one day, as mentioned 

s above. 

Of course, establishing the "real" identity of the mobile user is only half the 
work; the home domain authority AS X must then verify the authentication 
information supplied in the second flow. However, this is unrelated to the 
so problem at hand; as mentioned before, Moiva et al describe an example in 
(4). 

The following section addresses an advantageous arrangement to reduce 
the "computational overhead". In an environment where oniy few users 

15 travel outside their home domain, it can be quite inefficient and even 
wasteful to pre-compute, maintain, and search time-based alias tables for ail 
users. In this case, a way to reduce overhead is to generally require a user 
U to inform his/her home domain authority AS X in advance of intended 
travelling. Thus, the home domain authority must keep track of only those 

20 users that are currently travelling. This does not necessarily imply that 
users need to disclose their complete itinerary in advance; they simply need 
to register the beginning of each trip "abroad", i.e. to a foreign domain. 
Upon notification, the home domain authority AS X adds the travelling user 
to a special list which is utilized for time-based dynamic identifier 

25 computation. However, if is not necessary for the user to inform his/her 
home domain authority AS X upon completion of each trip; the home domain 
authority can deduce that a certain user has returned home when this user 
tries to log in with his/her real, i.e. home user ID at the home domain 
authority. 

30 

In the following, the clock synchronization between the home domain 
authority and the foreign domain authority is addressed. The assumption 
about the user maintaining a coarse clock, loosely-synchronized with the 
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1 home domain authority is certainly realistic for most environments. Clearly, 
a user equipped with a smartcard can rely on the smartcard's clock to keep 
track of the user time T u . For an "unequipped" user, a workstation's interna? 
clock wiii suffice. If is also possible for the user to enter the time manually 

s from a wall-clock or a wristwatch. Of course, the granularity of 8 X is 
decisive. Despite this obvious ease of maintaining the user time T u , it Is 
conceivable that in some cases, keeping track of T u is not possible for some 
reason. 

10 To handle this situation, the protocol can be modified in a way that either, 1. 
the local (i.e. foreign) domain authority AS y provides the time T y , or, 2. the 
user s home domain authority AS X provides it. In either case, the time must 
be supplied to the user (or his device) a priori, i.e., in an extra flow 
preceding the first flow as described above. This can be done in the open, 

is i.e. in clear text, since the time T x is not a secret value. 

To summarize, as demonstrated above, the most important factor in 
travelling incognito is to have frequently changing and seemingly unrelated 
aliases, i.e. dynamic user identifiers. As soon as constant or long-term 

so identifiers are used, identity-correlation and tracking becomes possible, 
ideally, an alias or dynamic identifier is fully disposable, i.e., use only once. 
The method according to the invention is not fully up to that standard 
because it allows aliases to be re-used within the configurable 5 X time 
interval. Consequently, if a user migrates through multiple domains within a 

25 single 8 X interval, he/she is vulnerable to some limited identity tracking. 

To avoid this, the invention offers two alternative approaches: 

1. the aliases are made dependent on the visited domain, or 
so 2. tight synchronization between the user and his/her domain authority is 
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t If the name of a foreign domain is included into the computation of a 
dynamic user identifier SUid, correlation of identify becomes impossible 
since a user migrating from one foreign domain to the next {even within a 
very short time, i.e. within a single time interval 5 X ) will do so under 

§ unrelated dynamic user Identifiers, The main drawback of this approach is 
that it needs more time. Since, in this case, the home domain authority AS X 
is unable to predict its users movements, it cannot pre-compute the 
translation tabies, Thus, when the home domain authority AS X is presented 
with a dynamic user identifier SUid and the name of the foreign domain 

10 authority D y , it is unable to resolve or interpret SUid immediately, and thus 
answer directly, since there is no pre-computed, stored translation table. 
Instead, for every registered user If, the home domain authority AS X has to 
compute the appropriate SUid vaiue using the name of Dy as one of the 
inputs. This puts a substantial load on the home domain authority AS X . 

15 

The other possibility is to maintain tight synchronization between the user 
for, rather, personal device of the user) and the home domain authority. 
This synchronization can be on the basis of time, secret sequence numbers 
or identically-seeded random number generators. This approach provides 
20 the highest level of security since It guarantees that an alias or dynamic 
user identifier is never reused. It suffers, however, from the same drawback 
as the domain-dependent aliases. Furthermore, it requires every user to 
have a reliable, tamper-proof personal device. 

25 The described time-based aliases can be realized m device-oriented 
environments, e.g., smartcards, celiular telephones, or in more traditional 
environments where a travelling user has only a password for 
authentication, in the latter case, a user is unavoidably vulnerable to 
compromised public workstations or other impersonal end-user equipment 

so which is used to access the network. One preferred example for the 
impiementafion of the invention is given below. 
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1 A particular advantageous application of the invention is in connection with 
smartcards. The simplest possible smartcard is the kind that has only a 
small display and, perhaps, an on/off switch, Inside its tamper-proof 
packaging, a smartcard maintains a clock and a secret key unique for each 

5 card. This type of smartcard was described by R. Molva et ai in (10). A 
commercial product that could be adapted to work in this mode is the 
SecurefD token described in (11). 

implementation 

10 

Figs. 1 through 5 show an implementation of the invention with smartcards 
in graphical form. The following description gives the details. 

Smartcard 1, shown in Fig. 1, comprises a serial number 2 which is usually 
is fixed to the card and unique; if also comprises a processor and a display 
screen 3, often a small LCD, all battery powered. As explained below, 
smartcard 1 has two different modes; to support the time-based dynamic 
user identification method, the following features are provided: 

20 1, It is programmed to switch either automatically or on demand between 
two modes, an "authentication mode", wherein the card displays an 
authenticator (not of concern here, as explained above) and a "user ID 
mode", wherein the card displays the dynamic user identifier SUid. The 
automatic switching occurs every so often, e.g., every fen seconds. The 

25 automatically switched smartcard is particularly aitracSive since it does 

not require any surface or hardware modifications of presently available 
smartcards. Alternatively, a mode button or switch 4 can be provided 
that allows the user to switch between the two modes. 
2. The smartcard's clock used in the authentication mode is "coarsened" 

30 when computing the user identification SUid. A separate clock for the 

user ID mode is not needed, but could still be provided. 
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1 in the user ID mode, smartcard 1 displays a 8-8 digit decimal number or 
other sequence of symbols, shown as XX XX XXX in Fig. 1, as the lime-based 
dynamic user identifier. This user identifier may include a preceding mark 5 
to indicate that the user identifier is shown. The user duly enters this as his 

5 "user ID* into the terminal or workstation for transmission to the foreign 
domain authority. As mentioned below, this input step can also be carried 
out automatically. It should be clear at this point that the dynamic user 
identifier carries the user identification only in encrypted form; no intruder 
will be able to conclude from it the true identity of the user. It should 

10 further be dear that, since the dynamic user identifier is modified after a 
given time interval, any sequence of dynamic user identifiers is apparently 
unrelated to each other and gives no visible indication of belonging to the 
same user, 

15 In the authentication mode, smartcard 1 displays another 8-8 digit decimal 
number or other symbol sequence, shown as YYY YYY YY in Fig.1. as the 
user authenticates The user enters this authenticate as his "password" into 
the terminal which in turn transmits It to the foreign domain authority. (The 
authentication process itself, as mentioned above, is no part of this 

20 invention and will thus not be described in further detail.) 

Such a smartcard could be implemented by modifying a commercially 
available smartcard like the SecurlD card referred to in (11) which 
apparently already includes a clock and a processor. For someone skilled in 
25 the art, the writing of the appropriate software - If necessary ~ and the 
adaptation of the card should not pose a problem. There is not even a 
physical modification of the card necessary if the automatic switching from 
user ID mode to authentication mode is selected. 

so Fig. 2 shows the transmission of the dynamic user identifier and the 
authenticator from smartcard 1 via the foreign domain authority 6 to the 
user's home domain authority 8. 



One preferable way is that the user inputs both values from smarlcard 1 , as 
displayed. Another way is to read the card in a terminal connected to the 
foreign authority 8. The usual automatic teller machines as used extensively 
in the banking business could be modified to do that. (Of course, for 
authentication, the user may also have to enter a password, PIN number, or 
whatever means is used by the system for the authorization process. Again, 
as mentioned above, the authorization process is no part of this invention; 
any of the conventional methods can be used,) 

The foreign domain authority 6 "knows" which home domain authority it has 
to address, This is preferably done by including an appropriate section into 
the dynamic user identifier, Aiternativeiy, a separate input can be requested 
from the user by foreign domain authority 8 to identify the user's home 
authority. 

The foreign domain authority 6 transfers the data via connection 7, indicated 
schematically in Fig. 2 as a cable, to the user's home domain authority. Of 
course, this can be anything from a two-wire connection to a radio or 
infrared communication network. An intruder deriving data from the foreign 
domain authority 6 or the connection 7 wili not be able to detect the user's 
true identity or his/her previous place of access to the system. 

Since the dynamic user identifier SUid is already encrypted, a further 
encryption for a more secure transmission is not necessary, but can of 
course still be provided. 

Fig. 3 shows a network consisting of two domains 10 and 20, each having a 
number of terminals or workstations for user access. The first domain 10 
has a bus 15, connecting its user terminals 11 to 13 and a server 14. A link, 
here shown as a line or cable, connects server 14 to a gateway 30. Some or 
all of terminals or workstations have built-in computing power. Also, the 
domain authority may be distributed and not located in a particular machine 
or server. 
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The second domain 20 also has a number of terminals or workstations 21 to 
24, here connected to a token ring 25. At least workstation 24 has built-in 
computing power and Is employed as a server for this second domain. 
s Connection 26, shown as a Sine, can as well be a wireless infrared or radio 
connection to gateway 30. 

A travelling user U who wants to access the system via terminal or 
workstation 12, and who is "at home" in domain 20, enters his/her data, i.e. 

10 identifier, password, etc., into a keyboard or other input device at terminal 
12 and/or puts his/her smartcard into a reader at the workstation. Since 
workstation 12 is - from the user's viewpoint - part of a foreign domain, 
he/she will be asked to enter his/her home domain name or if will be read 
from the smartcard. Either workstation 12 or, alternatively, the user's 

15 smartcard compute the dynamic user Identifier SUid, as described above. 
Foreign domain authority 14 receiving this dynamic user identifier is unable 
to interpret it. However, it must know the user's home domain, domain 20 in 
the present case, in order to route or transmit the encrypted data to the 
correct (home) domain via gateway 30. 

20 

Gateway 30 - or any other gateway or reiais station in the route - also is just 
able to interpret the user's correct home domain, but cannot read or 
interpret the dynamic user identifier SUid. In the present case, gateway 30 
transmits the received encrypted user identifier to the user's home domain 
25 authority 24. 

Domain authority 24, receiving the dynamic user identifier of its domiciled 
travelling user U has pre-computed up-to-date tables which list for the 
dynamic user identifiers for all all ist users, valid in the present time interval 
30 5 X . Thus, by a fast and easy table look-up, domain authority can check 
whether the received dynamic user identifier is valid and to which user if 
belongs. This is described in some more detail in connection with Fig. 4. 
Domain authority 24 may then return an appropriate message to terminal 12 
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1 (from where the user desired service) and/or go through the authentication 
process. 

As depicted in Fig. 4, when receiving a dynamic user identifier SUid, home 
5 domain authority 24 seiects the appropriate alias table 42, say T8 2 , from a 
series 41 of pre-computed tables TS 1 through T8 n according to the current 
time interval $ x . it then searches the seiected table using the supplied SUid 
value and identifies the seriai number (or some other ID) of the smartcard 
or user workstation that computed SUid. The card serial number uniquely 
10 identifies the user. Once this identification is done, an appropriate message 
can be generated at domain authority 24. 

Fig. 5 finally shows an exampie how the user's input can be processed in 
the input terminal 12 in the foreign domain. User U inputs his user ID or 

is identifier A u , his password PW U , and, optionally, the current time T u , 
rounded to the nearest time interval 5 U into workstation or terminal 12 in the 
foreign domain, Processing means 51, including an encryptor 52, encrypts 
the user's inputs, i.e. / 1 through / 3 , which correspond to PW U , A u , and T u , 
as shown in the figure. Here, the concatenation of ^ and / 2 is encrypted 

20 under DES, referred to above in (8), under the key ? 3 , determining SUid, 
which is sent to the user's home domain. There, authentication server 24 
evaluates the received dynamic user identifier SUid. 

The following is a stepwise description of the full process. 

25 

STEP 0 

First, and preferably permanently, each (home domain) authentication 
authority AS X , typically authentication server 24, computes the tables 
necessary for the process. This is done every so often, e.g., once a day. 
30 Thereby, a sequence of fables, e.g. TB V TB 2 TB n is computed, where n is 
the number of S x intervals in a day or other "long" time unit. For example, if 
S x is set to one hour, authentication server 24 computes 24 fables every 
day. 
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Each table TBj, contains as many rows as there are users in the local 
domain. Each row consists of two columns: 
■■" user name U, and 

5 - the result of applying one-way function F(A U , T u , PW U ), where PW U is the 
password or PIN of user U and T f = T Q \8 X . 

I 0 is the absolute time at the beginning of the computation start, i.e., if 
computation is done every day, then T Q is set to midnight. 

to 

This ends the first pari of the process, i.e. the table computation. The 
following, second part concerns the identity resolution. To enable an easy 
understanding, it shall be described in several steps. 

15 STEP 1 

A user U travels to a foreign domain. At a terminal or workstation in this 
foreign domain, say terminal 12 of domain 10 in Fig. 3, he/she enters his/her 
user ID U x or alias A u , the S x value, and his/her password (or PIN) PW U 
into the workstation. From the input values, the workstation (software 
20 and/or hardware) computes the dynamic user identifier 

SUid - F( A u , T u , PW U ), 

where T u is the local time on the workstation, rounded off to the nearest 3 X , 
I.e. seconds, minutes or hours, depending on what units <5 y is measured in. 

25 x 

Note that if is not required for the workstation to have a clock; in that case, 
the user also enters the time T u , e.g. by consulting his watch. 



30 



In addition, the user enters some authentication information into the 
workstation. It is not relevant to the present invention what this 
authentication information is. 
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1 STEP 2 

The workstation sends the SUid value along with the authentication 
information to the user's home domain authority AS X , e.g. to tormina! (or 
workstation) 24 in domain 20. This may be done indirectly: workstation 12 
s can first forward the data to its own local authority AS y , e.g. workstation 14 
of domain 10 which, in turn, then sends the data on to AS X , here terminal or 
workstation 24. 

STEP 3 

10 When the data reaches AS X , i.e. workstation 24, if first obtains its local time 
T x . Then, it computes 

) = (T x ~ 7q)/ 8 x , using Integer division, and 

k - (T x - T Q )% 8 X . wherein % is the modulus operator. 

15 STEP 4 

Next, AS X , i.e. workstation 24, searches the table TBj (pre-cornputed in Step 
0), using SUid as the search value. 

STEP 4a 

20 |f the search is successful, the table entry points to user U. 
STEP 4h 

If the search is unsuccessful, domain authority AS X , i.e. workstation 24, may 
(depending on the value of k) search either T3j _ 1 or T3j + ^ 

25 

STEP 5 

Once user U is identified, domain authority AS X , I.e. workstation 24, verifies 
the authentication information that arrived along with a SUid, as known in 
the art. Again, details of this process are not relevant to the present 
30 invention. 
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1 STEP 8 

When domain authority AS X , i.e. workstation 24, is satisfied that SUid 
corresponds to a valid user U and the accompanying authentication 
Information is correct, it responds to the remote domain authority AS y , here 
5 server 14 in domain 10, and communicates that SUid is a legitimate user 
who is authorized to obtain service. 

Obviously, the above-described process does not use a smartcard. If an 
"intelligent" card like smartcard 1 is to be used, the only change would be in 
10 Step 1. Instead of entering the info info the workstation, the user would 
simply read out the value displayed on the smartcard in its user ID mode 
and enter it into workstation 12. Alternatively, this value can be 
machine-read by workstation 12. This value is the SUid already computed 
by smartcard 1 in the same way as the workstation does it in Step 1 above. 

15 

To summarize, at the end of Step 8, domain authority AS y , here workstation 
12, can be assured that user U is a legitimate user while, at the same time, 
the domain authority does not and cannot discover the user's identity, in 
fact, domain authority AS y only knows SUid which is nothing but a 
20 short-term alias. The correspondence between SUid and U x is known only to 
the user U and his/her home domain authority AS X , 

There are obviously many variations of this invention imaginable, ranging 
from wireless, e.g. radio or infrared, transmission to multiplexing when 

25 serving several users simultaneously, in a wireless domain, a single server 
could be used as transceiver and domain authority simultaneously. 
Synchronization can e.g. be achieved by radio-controlled clocks or other 
synchronization devices. Smarfcards could be carrying any meaningful 
computing power in order to make the terminals as robust as possible. Ail 

so these variations could still be using the essential principles of this invention 
as defined in the appended claims. 
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CLAIMS 

A method for secure identification of a mobile user U in a 
communication system with a plurality of distributed users grouped to 
domains or subsets D x , D y within the system, each said user having an 
identifier A u and a password or other secret authersficator PW U , said 
identifier and said password being stored in said user's home domain 
D u , said method including a synchronization indication, preferably 
applying a time interval indication T u , synchronizing said user's U input 
in a foreign domain D y with his/her home domain D u , 

comprising the steps of: 

- encrypting under a secret function, particularly a one-way function, 
at least one of the group consisting of said identifier A u , said time 
interval or other synchronization indication T u , and said user's 
password PW U or other secret authenticate^ and building an 
encrypted message, 

- indicating to said foreign domain D y , from which said user U 
intends to communicate, said user's home domain D u , 

- - transmitting said encrypted message to said user's home domain 
D UI 

- evaluating in said user's home domain D y said encrypted message 
and determining the true identity of said user. 

The identification method of claim 1. with distributed workstations 
and/or terminais (11-14, 21-24) grouped to domains or subsets D x , D y 
(10, 20) within the system, wherein 

the encryption step is carried out in the foreign domain D y and the 
encrypted message transmitted to said user's home domain D u for the 
evaluation. 
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The identification method of claim 1, using 'intelligent" portable input 
means, preferably smartcards (1), with built-in computing power, 

the encryption is carried out in said portable input means and the 
encrypted message transmitted to said user's home domain D u for the 
evaluation. 

The identification method of claim 3, wherein 

at least part of the entry into the foreign domain D y is done from the 
portable input means, preferably by machine-reading the laiier. 

The identification method of any of the claims 1 through 3, wherein 

- if the determining step is successful, an approval message from 
the home domain D u is transmitted, in particular to the foreign 
domain D y , 

~~ if the determining step is unsuccessful, an appropriate disapproval 
is Indicated. 

The identification method of claim 1, wherein 

- the secret function is a one-way function 
SUid - F(A U T u PW U ] 

encrypting the identifier A u , the time interval indication T u or other 
synchronization indication, and the user's password PW U or other 
secret authenticaior, and/or 

- the identifier A u is an alias or secondary identifier of user U. 

The identification method of any preceding claim, wherein 
In the home domain D u , prior to a respective time interval 8 U or other 
synchronization interval indication, one or more potential encrypted 
messages for a Mure time interval are pre-computed and stored in a 
reference/translation table (42). 
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i 8. The identification method of ciairn 7, wherein 

the reference/translation table (42) in the home domain D u is 
established selectively, in particular only for selected mobile users 
known to be moving, 

5 

9. The Identification method of claim 1, wherein 

for each domain D x , a domain-wide time interval <5 X is selected, said 
selected time interval being one or more hours or a day. 

to 10. The identification method of claim 1, wherein 

the synchronization means includes identically seeded random-number 
generators and/or secret sequence numbers. 

A portable input means, in particular a smartcard (1), adapted for use in 
a communication system according to any of the claims 1 - 10, having a 
secret key unique for each input means and a clock, further comprising 
means for switching said input means between an identification mode 
and a user ID mode in which it displays the encrypted message. 

20 12. The input means of claim 11, wherein 

switching said input means is done by a manual mode switch (4) for 
manually switching said input means between its modes and/or an 
automatic mode switch for automatically switching said input means 
time-dependant between its modes, 

25 

13. A system for secure identification of a mobile user in a communication 
network including a plurality of distributed workstations or terminals 
(11-14, 21-24} grouped to domains or subsets D x D y (10, 20) within said 
network, said user having an identifier A u and a secret authenficator 
so PW U , 

means for encrypting (Fig. 5) under a secret function, particularly a 
one-way function, at least one of the group consisting of said 
identifier A u , a synchronization indicator 7^. and said user's 
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authenticator PW U , for building a first message, and indicating said 
user's home domain D u , 

- means for transmitting (16, 26, 30) said first message to said user's 
home domain D u , 

- means for receiving (Fig. 4} in said user's home domain D u (20) 
said first message, and determining the true identity of said user 
U. 

The identification system o? claim 13, wherein 

message controi and handling within the foreign domain D y (10) and/or 
within the home domain D u {20} is done within and hy a domain 
authority or an identification server AS y (14) or AS U (24), respectiveiy, 

15, The identification system of ciaim 13, inciuding 
is in a domain authority AS U (24), means (41) for storing a plurality of the 

translation tables (42). 
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